CVE-2022-25646 - OpenCVE

All versions of package x-data-spreadsheet are vulnerable to Cross-site Scripting (XSS) due to missing sanitization of values inserted into the cells.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
X-data-spreadsheet Project	X-data-spreadsheet

Configuration 1 [-]

cpe:2.3:a:x-data-spreadsheet_project:x-data-spreadsheet:*:*:*:*:*:node.js:*:*

References

Link	Resource
https://github.com/myliang/x-spreadsheet/issues/580	Exploit Issue Tracking Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-XDATASPREADSHEET-2430381	Exploit Third Party Advisory
https://youtu.be/Ij-8VVKNh7U	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: snyk

Published: 2022-08-30T00:00:00

Updated: 2022-08-30T05:05:17

Reserved: 2022-02-24T00:00:00

Link: CVE-2022-25646

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-08-30T05:15:07.607

Modified: 2022-09-01T20:39:08.037

Link: CVE-2022-25646

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "x-data-spreadsheet", "vendor": "n/a", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Veysel Xan"}], "datePublic": "2022-08-30T00:00:00", "descriptions": [{"lang": "en", "value": "All versions of package x-data-spreadsheet are vulnerable to Cross-site Scripting (XSS) due to missing sanitization of values inserted into the cells."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Cross-site Scripting (XSS)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-08-30T05:05:17", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://security.snyk.io/vuln/SNYK-JS-XDATASPREADSHEET-2430381"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/myliang/x-spreadsheet/issues/580"}, {"tags": ["x_refsource_MISC"], "url": "https://youtu.be/Ij-8VVKNh7U"}], "title": "Cross-site Scripting (XSS)", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2022-08-30T05:00:11.523995Z", "ID": "CVE-2022-25646", "STATE": "PUBLIC", "TITLE": "Cross-site Scripting (XSS)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "x-data-spreadsheet", "version": {"version_data": [{"version_affected": ">=", "version_value": "0"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "Veysel Xan"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "All versions of package x-data-spreadsheet are vulnerable to Cross-site Scripting (XSS) due to missing sanitization of values inserted into the cells."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://security.snyk.io/vuln/SNYK-JS-XDATASPREADSHEET-2430381", "refsource": "MISC", "url": "https://security.snyk.io/vuln/SNYK-JS-XDATASPREADSHEET-2430381"}, {"name": "https://github.com/myliang/x-spreadsheet/issues/580", "refsource": "MISC", "url": "https://github.com/myliang/x-spreadsheet/issues/580"}, {"name": "https://youtu.be/Ij-8VVKNh7U", "refsource": "MISC", "url": "https://youtu.be/Ij-8VVKNh7U"}]}}}}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2022-25646", "datePublished": "2022-08-30T00:00:00", "dateReserved": "2022-02-24T00:00:00", "dateUpdated": "2022-08-30T05:05:17", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:x-data-spreadsheet_project:x-data-spreadsheet:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "EAB5CA5D-367A-4344-8151-1C2C41E9CD2D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "All versions of package x-data-spreadsheet are vulnerable to Cross-site Scripting (XSS) due to missing sanitization of values inserted into the cells."}, {"lang": "es", "value": "Todas las versiones del paquete x-data-spreadsheet son vulnerables a un ataque de tipo Cross-site Scripting (XSS) debido a una falta de saneo de los valores insertados en las celdas"}], "id": "CVE-2022-25646", "lastModified": "2022-09-01T20:39:08.037", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2022-08-30T05:15:07.607", "references": [{"source": "report@snyk.io", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/myliang/x-spreadsheet/issues/580"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JS-XDATASPREADSHEET-2430381"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://youtu.be/Ij-8VVKNh7U"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}